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Abstract 

Alice and Bob want to run a protocol over a noisy channel, where a certain number of bits are flipped 
adversarially. Several results take a protocol requiring L bits of noise-free communication and make it 
robust over such a channel. In a recent breakthrough result, Haeupler described an algorithm that sends 
a number of bits that is conjectured to be near optimal in such a model. However, his algorithm critically 
requires a priori knowledge of the number of bits that will be flipped by the adversary. 

We describe an algorithm requiring no such knowledge. If an adversary flips T bits, our algorithm 
sends L + O (^-s/L{T + 1) log L + tJ bits in expectation and succeeds with high probability in L. It does 
so without any a priori knowledge of T. Assuming a conjectured lower bound by Haeupler, our result is 
optimal up to logarithmic factors. 

Our algorithm critically relies on the assumption of a private channel. We show that privacy is 
necessary when the amount of noise is unknown. 


1 Introduction 

How can two parties run a protocol over a noisy channel? Interactive communication seeks to solve this 
problem while minimizing the total number of bits sent. Recently, Haeupler |14j gave an algorithm for this 
problem that is conjectured to be optimal. However, as in previous work [ZniElllllellllllllllSllig, his 
algorithm critically relies on the assumption that the algorithm knows the noise rate in advance, i.e., the 
algorithm knows in advance the number of bits that will be flipped by the adversary. 

In this paper, we remove this assumption. To do so, we add a new assumption of privacy. In particular, 
in our model, an adversary can flip an unknown number of bits, at arbitrary times, but he never learns the 
value of any bits sent over the channel. This assumption is necessary: with a public channel and unknown 
noise rate, the adversary can run a man-in-the-middle attack to mislead either party (see Theorem 16.11 
Section ini). 

Problem Overview We assume that Alice and Bob are connected by a noisy binary channel. Our goal is 
to build an algorithm that takes as input some distributed protocol tt that works over a noise-free channel 
and outputs a distributed protocol tt' that works over the noisy channel. 

We assume an adversary chooses tt, and which bits to flip in the noisy channel. The adversary knows our 
algorithm for transforming tt to tt' . However, he neither knows the private random bits of Alice and Bob, 
nor the bits sent over the channel, except when it is possible to infer these from knowledge of tt and our 
algorithm. 

We let T be the number of bits flipped by the adversary, and L be the length of tt. As in previous work, 
we assume that Alice and Bob know L. 
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Our Results Our main result is summarized in the following theorem. 

Theorem 1.1. Algorithm 3 tolerates an unknown number of adversarial errors, T, succeeds with high prob¬ 
ability in the transcript length, L, and if successful, sends in expectation L O L{T + 1) log L 
bits. 

The number of bits sent by our algorithm is within logarithmic factors of optimal, assuming a conjecture 
from [14] (see Theorem I6.3|) . 

Results in this paper first appeared in conference proceedings |8]. 

1.1 Related Work 

For L bits to be transmitted from Alice to Bob, Shannon [22] proposes an error correcting code of size 0{L) 
that yields correct communication over a noisy channel with probability 1 — At first glance, this 

may appear to solve our problem. But consider an interactive protocol with communication complexity L, 
where Alice sends one bit, then Bob sends back one bit, and so forth where the value of each bit sent depends 
on the previous bits received. Two problems arise. First, using block codewords is not efficient; to achieve 
a small error probability, “dummy” bits may be added to each bit prior to encoding, but this results in a 
superlinear blowup in overhead. Second, due to the interactivity, an error that occurs in the past can ruin 
all computation that comes after it. Thus, error correcting codes fall short when dealing with interactive 
protocols. 

The seminal work of Schulman [niEo] overcame these obstacles by describing a deterministic method 
for simulating interactive protocols on noisy channels with only a constant-factor increase in the total com¬ 
munication complexity. This work spurred vigorous interest in the area (see [3] for an excellent survey). 

Schulman’s scheme tolerates an adversarial noise rate of 1/240. It critically depends on the notion of a 
tree code for which an exponential-time construction was originally provided. This exponential construction 
time motivated work on more efficient constructions [sidiiiis]. There were also efforts to create alternative 
codes [TT] [T^ . Recently, elegant computationally-efficient schemes that tolerate a constant adversarial noise 
rate have been demonstrated [HIE]. Additionally, a large number of powerful results have improved the 
tolerable adversarial noise rate [HKHnniis]. 

The closest prior work to ours is that of Haeupler [14] . His work assumes a fixed and known adversarial 
noise rate e, the fraction of bits flipped by the adversary. Communication efficiency is measured by commu¬ 
nication rate which is L divided by the total number of bits sent. Haeupler [14] describes an algorithm that 
achieves a communication rate of 1 — 0{yjclog log(l/e), which he conjectures to be optimal. We compare 
our work to his in Section [51 

Feinerman, Haeupler and Korman [^ recently studied the interesting related problem of spreading a 
single-bit rumor in a noisy network. In their framework, in each synchronous round, each agent can deliver 
a single bit to a random anonymous agent. This bit is flipped independently at random with probability 
1/2 — e for some fixed e > 0. Their algorithm ensures with high probability that in 0(logn/e^) rounds and 
with 0(nlogn/e^)) messages, all nodes learn the correct rumor. They also present a majority-consensus 
algorithm with the same resource costs, and prove these resource costs are optimal for both problems. 

1.2 Formal Model 

Our algorithm takes as input a protocol tt which is a sequence of L bits, each of which is transmitted either 
from Alice to Bob or from Bob to Alice. As in previous work, we also assume that Alice and Bob both know 
L. We let Alice be the party who sends the first bit in tt. 

Channel Steps We assume communication over the channel is synchronous and individual computation 
is instantaneous. We define a channel step as the amount of time that it takes to send one bit over the 
channel. 

'^Specifically with probability at least 1 — ^ ^ 
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Silence on the Channel When neither Alice nor Bob sends in a channel step, we say that the channel 
is silent. In any contiguous sequence of silent channel steps, the bit received on the channel in the first step 
is set by the adversary for free. By default, the bit received in subsequent steps of the sequence remains the 
same, unless the adversary pays for one bit flip in order to change it. In short, the adversary pays a cost of 
one bit flip each time it wants to change the value of the bit received in any contiguous sequence of silent 
steps. 

1.3 Overview of Our Result 

Challenges Can we adapt prior results by guessing the noise rate? Underestimation threatens correctness 
if the actual number of bit flips exceeds the algorithm’s tolerance. Conversely, overestimation leads to sending 
more bits than necessary. Thus, we need a protocol that adapts to the adversary’s actions. 

One idea is to adapt the amount of communication redundancy based on the number of errors detected 
thus far. However, this presents a new challenge because the parties may have different views of the number 
of errors. They will need to synchronize their adaptions over the noisy channel. This is a key technical 
challenge to achieving our result. 

Another technical challenge is termination. The length of the simulated protocol is necessarily unknown, 
so the parties will likely not terminate at the same time. After one party has terminated, it is a challenge 
for the other party to detect this fact based on bits received over the noisy channel. 

A high-level overview of how we address these challenges is given in Section 12.41 

1.4 Paper Organization 

The rest of this paper is organized as follows. In Section [2 we describe a simple algorithm for interactive 
communication that works when T = 0(L/log L). We analyze this algorithm in Section [31 In Section |T1 
we describe an algorithm for interactive communication that works for any finite T ; we prove this algorithm 
correction in Section [SJ Section [5] gives some relevant remarks, including justifying private channels and 
comparing our algorithm with past work. Finally, we conclude and give directions for future work in Section[71 


2 Bounded T - Algorithm 

In this section, we describe an algorithm that enables interactive communication problem when T = 
0{L/log L). 

2.1 Overview, Notation and Definitions 

Our algorithm is presented as Algorithm |T] The overall idea of the algorithm is simple: the parties run the 
original protocol tt for a certain number of steps as if there was no noise. Then, Alice determines whether 
an error has occurred by checking a fingerprint from Bob. Based on the result of this verification, the 
computation of tt either moves forward or is rewound to be performed again. 

2.2 Helper Fnnctions 

Before giving details of the algorithm, we first describe some helper functions and notation (see Figure [TJ. 

Fingerprinting To verify communication, we make use of the following well-known theorem. 

Theorem 2.1. [Naor and Naor JT^] For any positive integer C and any probability p, there exists a hash 
function T that given a uniformly random bit string S as the seed, maps any string of length at most C bits 
to a bit string hash value H, such that the collision probability of any two strings is at most p, and the length 
of S and FI are [S'! = 0(log(£/p)) and \F[\ = 0(log(l/p)) bits. 
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The length of the protocol to be simulated. 

The L-bit protocol to be simulated, augmented by random bits to length ^1 + 

The result of the computation of the next i bits of tt after history T. 

Initial round size in the algorithm. This is the smallest power of 2 that is greater than \/LF. So 

y/LF <Ro< 2y/LF 

The length of the fingerprint. 

Alice’s tentative transcript. 

Bob’s tentative transcript. 

Alice’s verified transcript. 

Bob’s verified transcript. 

The first i bits of T. If |T| < L this is null 

Figure 1; Glossary of Notation 



We define two functions based on this theorem, h and MatchesFP. In this section, we will write h^, to 
denote that the probability of error p is polynomial in L. In particular, we can set p = 1/T^, with fingerprints 
of size O(logi). The function hi(T) takes a transcript T and returns a tuple (s,/), where s is uniformly 
random bit string and / is the output of the hash function F in the theorem above when given inputs s and 
T. We refer to this tuple as the fingerprint of T. 

The function MatchesFP((s,/), T) takes a hngerprint (s,/) and a transcript T. It returns true if and 
only if the output of F when given bit string s and transcript T is equal to the value /. In both of these 
functions, the total length of the fingerprint is given by the value F, which will be defined later. 


Algebraic Manipulation Detection Codes Our result makes critical use of Algebraic Manipulation 
(AMD) Codes from [7]. These codes provide three functions: amdEnc, IsCodeword and amdDec. The 
function amdEnc(77i) creates an encoding of a message m. The function IsCodeword(m') returns true if and 
only if a received message m' is equal to amdEnc(m) for some sent message m. The function amdDec(m') 
takes a received value m', where IsCodeword)™'), and returns the value m such that amdEnc)™) = m'. 
Intuitively, AMD Codes enable detection of bit corruptions on encoded words, with high probability. 

We make use of the following theorem about AMD codes. This is a slight rewording of a theorem from [7] . 

Theorem 2.2. ^ For any i5 > 0, there exists functions amdEnc, IsCodeword and amdDec, such that, for 
any bit string m of length x: 

• amdEnc)™) is a string of length x + C'log(l/i5), for some constant C; 

• IsCodeword(amdEnc(™)) and amdDec(amdEnc(™)) = m; 

• For any bit string s 0 of length x, Pr(IsCodeword(amdEnc(™) 0 s)) < 6 

In this section, we set i5 = 1 jif and add 0(log L) additional bits to the message word. Also in this section, 
we will always encode strings of size O(logL), so the AMD encoded messages will be of size O(logL). 

In the algorithm, we will denote the fixed length of the AMD-encoded fingerprint by F. 

2.3 Remaining Notation 

Transcripts We define Alice’s tentative transcript, Ta-, as the sequence of possible bits of tt that Alice has 
either sent or received up to the current time. Similarly, we let Tb denote Bob’s transcript. Eor both Alice or 
Bob, we define a verified transcript to be the longest prefix of a transcript for which a verihed hngerprint has 
been received. We denote the verihed transcript for Alice as 7)1, and for Bob as 7g. The notation T ^ T' 
signihes that a transcript T is a prehx of a transcript T'. 
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Rounds We define one of Alice’s rounds as one iteration of the repeat loop in Alice’s protocol. Alice’s 
round consists of channel steps, where is the round size value maintained by Alice. Similarly, we define 
one of Bob’s rounds as one iteration of the repeat look in Bob’s protocol. Such a round consists of ri, channel 
steps, where r^, is the round size for Bob. 

Other Notation For a transcript T and integer i, we define T[0 : i] to be the first i bits of T. For two 
strings x and y, we define a; © y to be the concatenation of x and y. 

2.4 Algorithm Overview 


Algorithm 1: Bounded Error Interactive Communication 


ALICE’S PROTOCOL 


BOB’S PROTOCOL 

1 

Ta ^ null', 72 ^ null', 

1 

Tb •«— null; T2 ^ null; 


rua ^ 0; r-a -(- Rq', 


mb •«- 0; rfc ^ Rq; 

2 

repeat 

2 

repeat 

3 

Ra ^ amdEnc(mo,ra, IT^’I); 

3 

Receive Alice’s F-bit message, F'; 

4 

Send Ra] 

4 

if all bits of F^ are equal then 

5 

Append TT[Ta,ra- 7F] to Ta', 


// Alice has likely left; 

6 

Receive Bob’s F-bit message, 

5 

Output T2 [0 : L] and 

7 

if IsCodeword(Fj) then 


Terminate; 

8 

if \T2 1 > L then 

6 

if IsCodeword(F^) then 

9 

Output Ta’p : L] and 

7 

{m,r,t) ^ amdDec(F'); 


Terminate; 


// synchronize values; 

10 

T ^ amdDec(Fj); 

8 

Xb x; 

11 

if MatchesEP(F, Til) then 

9 

mb •<— m; 


// successful round; 

10 

if £ > \TC\ then 

12 

r: ^ Ta', 

11 

V ^ %; 

13 

else 

12 

else 


// round failed; 

13 

Tb^V; 

14 

Ta^Ta*; 

14 

Append n[Tb,Xb- 2F] to 7b ; 

15 

nia ^ ma + 1; 

15 

Fb ^ amdEnc(hi(7b)); 

16 

if 1 + nia is a power of 4 then 

16 

Send Fb; 

17 

Xa <- ra/2'. 

17 

else 


until rUa = ^ - 1; 


// corruption occurred; 


18 

Send random bits for Xb — F steps; 



19 

mb ^ m-b + 1 ; 



20 

if 1 + mb is a power of 4 then 



21 

rb rb/2; 




until mb = ^ - 1; 


To facilitate discussion of the algorithm, we first state some important properties of rounds (proven in 
Section [3|). First, the size of any round is always a power of two. Second, the start of each of Bob’s rounds 
always coincides with the start of one of Alice’s rounds. This ensures that whenever Bob is listening for the 
message J"', Alice will be sending such a message. 

We first describe one of Alice’s rounds in which 1) neither Alice nor Bob terminate; and 2) there are no 
adversarial bit flips. In such a round, Alice sends an encoded message containing two pieces of information. 
These are ma, which is the number of failed rounds Alice has counted so far; and |7(j*|, which is the size of 
Alice’s verified transcript. 
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When Bob decodes this message, he synchronizes several values with Alice. In particular, he sets his 
round size value, rf,, and mistake estimate value, nib, so they equal the values Alice sent. Then, based on 
\T*\, Bob either increases the length of his verified transcript, or else decreases the length of his tentative 
transcript. After this synchronization, Alice and Bob both compute a certain number of bits of tt and add 
these to their tentative transcripts. Finally Bob sends an encoded fingerprint to Alice. She verifies this 
fingerprint, and then adds the bits of tt computed during this round to her verified transcript. 

There are two key ways in which adversarial bit flips can alter the above scenario. First, when the 
encoded message Alice sends containing ruo and \T* \ is corrupted. In this case. Bob will send random bits 
for the remainder of the round. This ensures two things. First, whenever Alice is listening for a fingerprint 
from Bob, Bob will either be sending a fingerprint or random bits. Thus, with high probability, the adversary 
will be unable to forge an encoding of a fake fingerprint by flipping bits. Second, Bob’s error count updates 
at the same time as Alice’s. 

The other key way in which adversarial bit flips can alter the ideal scenario is as follows. The adversary 
flips bits in such a way that the encoded fingerprint, that Bob sends to Alice, fails to be a valid fingerprint 
for Alice’s tentative transcript. In this case, Alice rewinds her tentative transcript, increments her error count, 
and updates her block size. 

Handling Termination In previous work, since e and L' are known, both parties know when to terminate 
(or leave the protocol), and can do so at the same time. However, since we know neither parameter, 
termination is now more challenging. 

In our algorithm, tt is augmented with a certain number of additional bits that Alice sends to Bob. Each 
of these bits is set independently and uniformly at random by Alice. Alice terminates when her verified 
transcript is of length greater than L. Bob terminates when he receives a value where all bits are the 
same. This conditions ensures that 1) Bob is very unlikely to terminate before Alice; and 2) Bob terminates 
soon after Alice, unless the adversary pays a significant cost to delay this. 

3 Bounded T - Analysis 

We now prove that with high probability. Algorithm 1 correctly simulates tt when T is promised to be 
0{L/ log L). Before proceeding to our proof, we define two bad events. 

Hash Collision. Either Alice or Bob incorrectly validates a fingerprint and updates their verified 
transcript to include bits not in tt. 

Failure of AMD Codes The adversary corrupts an encoded message into the encoding or a different 
message. Or the encoding of some message, after possible adversary corruption, equals a bit string of 
all zeroes or all ones. 

Throughout this section, we will assume neither event occurs. At the end of this section, we will show 
that the probability that either even occurs is polynomially small in L. 

Lemma 3.1. Each player’s round size is always a power of two. 

Proof. This is immediate from the fact that the round size starts out as a power of 2 and the fact that each 
time it decreases, it decreases by a factor of 2. □ 

Lemma 3.2. ma is monotonically increasing, and henee Aliee’s round size never increases. 

Proof. This follows immediately from the fact that the only time nia changes is on LineHSlof Alice’s protocol, 
when it is incremented by 1. □ 

Lemma 3.3. Algorithm\^has the following properties: 

1. When Bob starts a round, Alice starts a round. 
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2. mi, < ma at all times that Alice remains in the protocol. 

Proof. This follows by induction on ma. 

Base Case We first show that the lemma holds while ma = 0. Note that mi, can only increase after Bob 
has spent a round sending random bits. During such a round, Alice will increment ma before Bob increments 
mi,. Next, note that while mt = Too = 0, Alice and Bob both have the same round sizes, and so when Bob 
starts a round, Alice starts a round. 

Inductive Step Consider the channel step, t, at which Alice increases ma to some value j > 0. We must 
show that the lemma statement holds throughout the time while ma = j. By the inductive hypothesis, up 
to time t, mb < ma, and when Bob started a round, Alice started a round. There are two cases for the value 
of mb at the end of channel step t. 

Case 1 mb < j. In this case. Bob must not have received Ta at the beginning of the round he is in at 
channel step t. Hence, Bob transmits random bits during this entire round. Bob’s round size is an integer 
multiple of Alice’s round size (by Lemma 13.11) . Thus, Bob will transmit random bits throughout Alice’s 
round begun at channel step t + 1. So Alice will not receive a matching fingerprint at the end of the round 
she began at step t + 1, and so she will increment ma before Bob increments mb. This will happen before 
Bob completes the round he is in at time t, so both conditions of the lemma hold while ma = j. 

Case 2 mb = j. Note that mb can only increase after Bob has spent a round sending random bits. During 
such a round, Alice will increment ma before Bob increments mb. Thus, while ma = j, mb = j. Next, note 
that, if mb = ma = j at step t, then Alice and Bob both ended their rounds at step t. Hence, during the 
time that ma = j, when Bob starts a round, Alice starts a round. □ 

The following corollaries are immediate from the above lemma. 

Corollary 3.4. When Bob ends a round, Alice ends a round. 

Corollary 3.5. Bob’s rounds are at least as large as Alice’s rounds. 

The following corollary holds from the above lemma and the fact that Bob’s round sizes are at least as 
large as Alice’s. 

Corollary 3.6. While both parties remain in the protocol, whenever Bob is listening for a Ta, Alice is 

sending it. Also, whenever Alice is listening for Tb, either Bob is sending it, or Bob is sending random hits. 

The following lemma also follows from Lemma [3.31 

Lemma 3.7. LetTZ be one of Alice’s rounds which starts and ends at the same time as one of Bob’s rounds. 
Then, at the end of TZ, either ma — mb is the same as it was at the beginning of TZ or it equals 0 or 1. 

Proof. If Ta is corrupted at the beginning of TZ, Bob transmits random bits for the rest of TZ, and both Alice 
and Bob increment their error counts at the end, so ma — mb stays the same. 

If J^a is not corrupted at the beginning of TZ, then Bob sets mb to ma at the beginning of TZ, so at the 
end, ma — mb < 1. By Lemma [23] (2), ma — mb >0. □ 

3.1 Phases 

We now give some definitions. 

Definition 3.8. We define phase j to be all of Alice’s rounds of size Ro/2T. 

Definition 3.9. We define A^-, for all j > 0, to be the value ma — mb at the end of phase j. 
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Note that at the beginning of phase j, Alice’s error count is 4-1 — 1. We now give a few lemmas about 
phases. 

Lemma 3.10. For any j > 0, phase j contains at least 3Aj_i of Alice’s rounds, 

Proof. Consider any j > 0. At the beginning of phase j, nia = 4-^ — 1. Also, at the beginning of phase j, 
by Lemma [3.31 (2), mb < TOq. Hence, 0 < Aj_i < 4-1 — 1. Note that ma increases by at most 1 in each of 
Alice’s rounds. Thus, 3Aj_i rounds after the beginning of phase j, the value of ma is at most: 


4^ - 1 + 3Aj_i < 4^ - 1 + 3(4^' - 1) 
< 4 -’+^ - 1 


Thus after 3Aj_i rounds, ma is not large enough for Alice to advance to phase j + 1. □ 

Progressive, Corrupted and Wasted Rounds Let TZ be one of Alice’s rounds. We call TZ progressive 
if Alice does not update her error count during the round, or equivalently if her verified transcript length 
increases. We call TZ corrupted if the adversary flipped at least one bit in the round. We call TZ wasted if 
it is neither progressive nor corrupted. We want to bound the number of wasted rounds since this number 
represents amount by which ma is potentially an overestimate of T. 

We note that wasted rounds occur only when Vb > ra- In this case. Bob is not listening when Alice sends 
him iFa- As a result. Bob does not send Alice a valid fingerprint at the end of her round, and so her verified 
transcript does not increase, even though the adversary has not flipped any bits. 

The following lemma bounds the number of wasted rounds in a phase, and gives other critical properties. 

Lemma 3.11. Suppose at the beginning of phase j, j > 0, Bob is at the start of a round and his round size 
is at most i?o/2'l“^. Then 

1. There are at most Aj_i wasted rounds in phase j; 

2. Aj G {0,l,2Aj_i}; and 

3. Bob ends a round at the end of phase j. 

Proof. If Bob’s round size initially less than Rq/2^~^, then it must equal Ro/2,^ in order to be a power of 
two. Hence Alice and Bob will have rounds that are the same size for the entire phase, and the lemma holds 
trivially. 

We now consider the harder case where Bob’s round size equals Rof2^~^. 

By Definition 13.81 Alice has round size Roj^^ throughout phase j. By Lemma 15751 121. Bob’s round size is 
always greater than or equal to Alice’s round size. Thus, as soon as I) Bob receives Pa in one of his rounds 
in phase j, or 2) Bob sets mb equal to Alice’s error count at the beginning of phase j, then Bob’s round size 
will be Ro/2^ for the remainder of the phase. Finally, by Lemma 15751 111, from that point on, Alice and Bob 
will begin, and thus end, all rounds at the same time. 

Now consider Bob’s rounds in phase j. Assume the adversary corrupts Pa in Bob’s rounds 1 through i 
for some value * > 0, and then the adversary does not corrupt Pa in Bob’s round i + 1. We consider two 
cases. 

Case 1: i < Aj_i Each of the first i rounds of Bob spans two rounds of Alice. By Lemma 13.101 these 
rounds are all contained in phase j. Consider each pair of Alice’s rounds spanned by one of Bob’s rounds. 
The first round in the pair is corrupted, but during the second, Bob is transmitting random bits and Alice 
will not receive a fingerprint from him. Thus, this round is wasted. Hence, there are i wasted rounds. 

In round 1 + 1, Bob synchronizes his round size with Alice since he receives Pa. Thus, there are no more 
wasted rounds. Applying Lemma |3.71 for the remaining rounds of the phase, we see that at the end of the 
phase, ma — mb = Aj is either 0 or 1. 




Case 2: i > Aj_i Bob increases rrib by 1 in each of his first i rounds. Note that at the beginning of phase 
j, Alice’s error count is 4-1 — 1. Thus, after Bob’s first i rounds, mb = (4-1 — 1) — Aj_i + i. Hence when 
i = Aj_i, mb = (4-^ — 1). At that time. Bob sets his round size to Rq/2^, and so Alice and Bob will have the 
same round sizes, and will hence begin and end all rounds at the same step, for the rest of phase j. Thus, 
there are no more wasted rounds. Note that in this case, at Bob’s Aj_i round, ma — mb will be 2Aj_i. 
Applying Lemma 15771 for the remaining rounds of the phase, we see that Aj = 2Aj_i, or Aj is 0 or 1. □ 

Lemma 3.12. For every j > 0: 

1. There are at most wasted rounds in phase j; 

2. Aj < 2-1; and 

3. Bob ends a round at the end of phase j. 

Proof. We prove this by induction on j. 

Base Case At the beginning of phase 0, Bob is at the start of a round and his round size is Rq. Thus, by 
Lemma [3. Ill there are 0 wasted rounds in phase 0; Aq < 1; and Bob ends a round at the end of phase 0. 

Inductive Step Consider some j > 0. By the inductive hypothesis, Aj-i < 2^~^. At the beginning of 
phasej, mb = m„-Aj_i < (4J-1 )_a^_i, so that r-b = i?o/ 2 L'°sAi+™i.)l < i?o/2Li°S4 (4"-A,-i)J 
The last line holds since 0 < Aj_i < 2^~^. 

Also, by the inductive hypothesis. Bob ended a round at the end of phase j — 1, and so is starting a round 
at the beginning of phase j. Hence, we can apply Lemma 13.111 to phase j. From this lemma, it follows that 
1) the number of wasted rounds in phase j is at most 2^~^; 2) Aj < 2Aj-i < 2-1; and 3) Bob ends a round 
at the end of phase j. □ 

Note from the above lemma that Bob’s rounds are never more than double the size of Alice’s rounds. 
The following lemma sums up what we now know about Alice and Bob’s rounds. 

Lemma 3.13. The following are always true. 

1. Bob’s round size is either equal to Alice’s round size or double Alice’s round size. 

2. If Bob’s round size equals Alice’s round size, then when Alice starts a round, Bob starts a round. 

3. If Bob’s round size is twice Alice’s round size, then when Alice starts a round, either Bob starts a 
round, or Bob is in the middle of a round. 

Proof. The lemma follows from Corollary 13.51 Lemma and Lemma [3. 121 □ 

3.2 Correctness and Termination 

Lemma 3.14. It is always the case that Tf =4 where tt is the padded transcript. 

Proof. This holds by Lemma 13.251 and Lemma 13.261 and the fact that Alice never adds any string to Tf that 
is not verified by an encoded fingerprint from Bob. □ 

Lemma 3.15. At the beginning and end of each of Alice’s rounds, 

rc <t: =Ta4Tb-, 

where at most one of the inequalities is strict. Moreover, at the end of a channel step in which Bob receives 
Pa correctly, 

TC=rb = T:. 

Proof. We prove this by induction on Alice’s round number. 
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Base Case At the beginning of the algorithm, all transcripts are null, so = Ta = Ta = %■ Moreover 
if Bob receives J^a correctly in this round, then T/,* = % = ■ 

Inductive Step We must show that the lemma holds for the j-th round. By the inductive hypothesis, at 
the end of the j — 1-th round, 

V ^ r: = ra4 Tb, 

with at most one of the inequalities being strict. Clearly the statement about the inequalities will thus hold 
at the beginning of the j-th round. 

Alice’s j-th round starts with Alice sending Bob Jj,. 

Case 1: Bob does not receive Jjj If Bob does not receive Ta, then either 1) he was listening and it was 
corrupted; or 2) he was not listening for it. If he was listening and Ta was corrupted, then Bob transmits 
random bits for the remainder of his round, which will be the remainder of Alice’s round by Lemma |3.131 
By the same lemma, if Bob was not listening, then he must be in the middle of a round that is twice as large 
as Alice’s. In either case. Bob transmits random bits for the remainder of Alice’s j-th round. 

Thus, Alice does not receive a matching fingerprint from Bob at the end of her j-th round. Thus, at the 
end of her round, 7^ ^ 7j* and % and 7^* are unchanged. Hence, it continues to hold that: 

V 4 Ta* =Ta4 Tt; 

and at most one of the inequalities is strict. 

Case 2: Bob receives Ta If Bob receives Ta, then he learns the length of 7j* and also Alice’s round size. 
By the inductive hypothesis, either 7j* = TJ,* or 7j* = Tj,. Based on the length of T^, Bob either updates 7^* 
or rewinds %, so that =Tb = T* ■ This establishes the second part of the lemma for the j-th round. 

Next Alice and Bob continue their rounds which are the same size. If Alice receives a correct fingerprint 
from Bob at the end of her round, then the following holds: 

V 4 Ta* =Ta= Tb. 

If Alice does not receive a correct fingerprint from Bob at the end of her round, then the following holds: 

V = Ta* =Ta4 Tb. 

In either case, the first part of the lemma statement holds at the end of Alice’s j-th round. □ 

Lemma 3.16. Bob leaves after Alice. When Alice leaves, \Tif\ > L. 

Proof. Bob leaves only when he receives an T'^ that is all zeroes or all ones. By Lemma 13.261 T'^ is never 
such a string, and the adversary cannot convert Ta to such a string by bit flipping. It follows that Bob 
receives such a string only after Alice has left. 

Alice leaves only when 1) she has received an encoded fingerprint from Bob; and 2) |7j*| > L. If Alice 
receives a correctly encoded fingerprint from Bob, then by Lemma 13.261 Bob must have sent one, and hence 
Bob must be in a round where he received Ta correctly. By Lemma l3.I51 at that channel step, Tff = Tt = 7j*. 
Hence at the step when Alice receives the encoded fingerprint from Bob, T/f =Ta . Thus, when Alice leaves, 
\Tb*\>L. □ 

Lemma 3.17. When either party terminates, their output is correct. 

Proof. The proof follows from Lemmas 13.141 ISTSl and l3.16l and the fact that when either party terminates, 
they output the first L bits of their verified transcript. □ 
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3.3 Cost 


Lemma 3.18. After Alice leaves, the adversary must flip at least one bit for each of Bob’s rounds that does 
not result in Bob leaving. 

Proof. After Alice has left, there is silence on the channel in the steps when Bob is listening for Alice’s 
encoded message. This means that if there is no bit flipping by the adversary, the channel transmits the 
same bit in every channel step, causing Bob to read a string of all zeroes or all ones, and terminate. Thus, 
the adversary must flip at least one bit each time Bob is listening for a codeword. □ 

Lemma 3.19. There are at most 2^ — 1 wasted rounds prior to the end of phase j, for all j > 0. 

Proof. This follows trivially by repeated applications of Lemma [3.121 IT). □ 

Throughout this section, we assume the worst case, that the adversary corrupts at most one bit per 
corrupted round. 

Lemma 3.20. At all times, ma < T + Vt. In particular, there are no more than y/T wasted rounds. 

Proof. By way of contradiction, assume TOq > T + y/T at some step, in some phase j, j > 0. Then the 
number of wasted rounds at this step must be greater than y/T. But by Lemma l3.191 the number of wasted 
rounds at the end of phase j is no more than 2^ — 1. Thus, we have y/T < 2-1 — 1, or T < (2^ — 1)^. 

But ma is no larger than the number of corrupted rounds plus the number of wasted rounds. By 
the above paragraph, T < (2^ — 1)^ and the number of wasted rounds is no more than 2^ — 1. Thus 
ma < (2l — 1)^ + (2-1 — 1). Moreover, we know that in phase j, ma > 4-1 — 1. Thus, we know 

4^ - 1 < (2^ - 1)2 + (2^' - 1). 

Simplifying, we get 2-^ < 1, which is a contradiction for any j > 0. □ 

Let m* denote Alice’s error count when she leaves the algorithm, and denote Bob’s error count when 
he himself leaves the algorithm. 

Lemma 3.21. Alice terminates in at most L + 0{\JLF{1 + to*)) steps. 

Proof. We first calculate the cost of the rounds that are not progressive for Alice. The number of non¬ 
progressive rounds that she has executed is m*. Her cost for these rounds is at most the following. 


E 


Rq 

2d°g4 d 


<2i?oE 

i=l 


1 

2log4 i 


= 2Ro^ 
2=1 


1 

71 


< 2Ro / 

Jo 

= 4i?o\A< 


1 

71 


In every progressive round, except possibly the last, Alice’s block size is at least Thus 

in all but possibly the last progressive round, Alice always adds bits to her verified transcript at a rate of at 
least 


- 2F 

i?o2-i°S4(i+’"^) 
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Thus, the total number of bits Alices sends in all but the last progressive round is no more than 

■ i?o2-'°S4(i+™:) - 2F' 

We will make use of the inequality 


-- <1 + 25 for 0 < 5 < 1/2 

1 — 0 

and let S = Note that 5 < 1/2, since Alice’s round size is always at least 4+. 

Then we have that the total number of bits sent by Alice in all but the last progressive round is no more 
than 


i?o2-'°g4(i+™S) ■ 

Adding in the last progressive round, we get that the total number of bits sent by Alice in progressive 
rounds is no more than 


L + 


ALF 

i?o2-'°84(i+™:) 


+ Ao2-^°84(i+0. 


Putting this together with the number of bits send in non-progressive rounds, we have that the total 
number of bits send by Alice is no more than 


L + 4i?o v m* + 


4LF 


i?o2-'°S4(i+"4i) 


+ <L + 5i?o\/^ + 4 VIf(2'°S4(i+0) 


< L + lOi/LAm* + 4a/LF(1 + m*) 

< L + 14a/LA(1 + m*) 


□ 


Lemma 3.22. Bob terminates in at most L + 14y^L_F(l + m*) + steps. 

Proof. Since Bob never leaves before Alice, Bob’s cost must be at least as much as Alice’s. We now compute 
Bob’s additional cost. 

At the time of Alice’s departure, ra = i?o/2L^°S‘‘(^+™“^J. By Lemma Km rb < 2Ao/2Li°g4(i+™:)J. Let 
mj, denote Bob’s error count when Alice leaves the algorithm. Then 1 + m'j, > 4L*°g4(i+™a)J-i. Bob’s final 
error count is m^. Thus, Bob’s additional cost is at most 


m*-l 


Rn 


2Liog4(i+dl 


< 2Rq 


2iogit 

i=l 


riLb 

= 2Ao^ 


< 4Aov^ 

< Sy/LFmf 


Combining this with Alice’s cost gives the result. 

Lemma 3.23. The algorithm ends in at most 12L time steps. 


□ 
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Proof. By Lemma [3.221 Bob terminates in at most L + 14-^/ LF{1 + m*) + steps. Moreover, m* 

and ml are no more than Rq/AF^ — 1. Thus, the algorithm terminates in at most the following number of 
steps. 


/ 

L + 14a/ LF{1 + m*) + 8 a/ LFml < L + 22y ^^ 2 ° 


I 

= L + 22\ — 


□ 


Lemma 3.24. IfT < ^ — 1 then both players terminate with the eorreet output in at most L+0{\JLFlT + 1)) 
steps. 


Proof. Let Ta denote the number of bits flipped by the adversary while Alice is still in the protocol, and Tj, 
the bits flipped after Alice has left. Then Ta + Tb = T. 

By Lemma [3. 201 m* < Ta + 'JTI. By Lemmas 13.31 and 13. 181 ml < ml + Tb. Since Ta + Tb = T it follows 
that 

<<T + Vt<2T<4-2<^-1 


and similarly 


m. < 


3 . 

4F2 


- 1 


Thus, Alice and Bob will both terminate by outputting the bits of tt by Lemma [3.171 
Plugging m* < 2T and ml < 3T into Lemma 13.221 gives the total number of steps required. 


□ 


Lemma 3.25. With high probability in L, there are no hash collisions. 

Proof. By Lemma [3.231 the algorithm ends in at most 12L steps. Also, there are at least 4F = 0(logL) 
steps in a round. Thus, the algorithm has at most 0{L\ogL) rounds. Each round has one fingerprint. By 
Theorem O and the setting of our fingerprint sizes, each fingerprint fails with probability at most XjL?. 
Thus, a simple union bound gives the result. □ 


Lemma 3.26. With high probability in L, any hit flipping of a AMD encoded message is detected. 

Proof. We noted in the previous lemma that the algorithm terminates in 0{L log L) rounds. Each round has 
two AMD encoded messages. By Theorem 12.21 and the setting of our encoding sizes, each AMD encoding 
fails with probability at most 1/L^. Again, a union bound gives the result. □ 


4 Unbounded T - Algorithm 

Algorithm 1 uses fingerprints of a fixed size, F in order to check its transcripts. Each of these has a 1/L^ 
chance to fail due to a hash collision. Since the algorithm only computes about 0{L/ log L) fingerprints, 
a union bound tells us that with high probability the algorithm succeeds, below its threshold value of T. 
When T is large, many more checks may need to be made, and eventually there will be a good chance that 
there is a hash collision. Since the algorithm cannot really recover from a hash collision, we cannot afford 
this. On the other hand, we cannot simply start out with larger fingerprints, both because this would be too 
expensive if T turned out to be small, and also because even bigger fingerprints are still of a fixed size and 
eventually become unreliable. A natural solution is is to allow the fingerprints to grow, adapting the size to 
the value of T seen so far, and this is indeed what we will do. 


13 





















4.1 Helper Functions 

As in Algorithm 1, we make black-box use of the Naor and Naor hash family, as well as AMD codes to 
protect information. However, in Iteration j we need the failure probabilities for both these primitives to be 
\/{2^L^). Thus, we want the fingerprint size to grow with j. We will denote the hash function which has a 
collision probability of at most 1/(2^L^) by hj. It is easy to see that 0{j) extra bits are required for this, 
so that the fingerprint size is 0{j + logi). 

Algorithm 1 works well when the adversary can only afford to flip a fraction of a bit per block of the 
algorithm. In this case, it doesn’t matter that he can corrupt an entire round of the protocol by flipping a 
single bit. However, when the adversary has a larger budget, it becomes crucial to force him to pay a larger 
price to corrupt a round. To this end, we wrap each fingerprint and protocol bit in a linear error-correcting 
code. 

To be concrete, we will use a repetition code for each protocol bit, and a Reed-Solomon code m to 
provide the already AMD-encoded messages with a degree of error correction. This enables us to encode 
a message so that it can be recovered even if the adversary corrupts a third of the bits. We will denote 
the encoding and decoding functions by ecEnc and ecDec respectively. The following theorem, a slight 
restatement from m, gives the properties of these functions. 

Theorem 4.1. ^19f There is a constant c > 0 such that for any message m, \ ecEnc(m)| < c|m|. Moreover, 
if m' differs from ecEnc(m) in at most one-third of its bits, then ecDec(m') = m. 

Finally, we observe that the linearity of ecEnc and ecDec ensure that when the error correction is composed 
with the AMD code, the resulting code has the following properties: 

1. If at most a third of the bits of the message are flipped, then the original message can be uniquely 
reconstructed by rounding to the nearest codeword in the range of ecEnc. 

2. Even if an arbitrary set of bits is flipped, the probability of the change not being recognized is at most 
S, i.e. the same guarantee as the AMD codes. 

This is because ecDec is linear, so when noise rj is added by the adversary to the codeword x, effectively 
what happens is the decoding function ecDec(a; + ??) = ecDec(a;) -I- ecDec(77) = m-\- D{r]), where m is the 
AMD-encoded message. But now ecDec(77) is an obliviously selected string added to the AMD-encoded 
codeword. 

4.2 Algorithm 

Let Ni := \8L/F~\ be the number of rounds in Iteration I. Let Nj := 2^“^iVi be the number of rounds in 
Iteration j > 1. Let Fj = 2jdj -\- F be the size of the hngerprints in Iteration j, where /3 is the constant from 
the Naor and Naor hash function. Thus the hash collision probability of a single hngerprint is 2~^M~^. Each 
round of the iteration begins with Alice sending Bob a (l/3)-error-corrected, AMD-encoded synchronization 
message of length cFj, followed by simulation of the protocol for Fj channel steps, followed by Bob sending 
Alice a (l/3)-error-corrected, AMD-encoded fingerprint of length cFj. Here c is the constant factor blowup 
we get from the ECC and AMD encodings, but for technical reasons we will further ensure that it is at least 
5. Thus, the total round length is (2c-I- l)Fj > HE, . We will let a equal (2c-|- 1). 

As in Algorithm 1, Alice will decide whether to update her verified transcript and advance to the next 
block of TT or to rewind to redo the current block, based on whether she receives a fingerprint from Bob that 
matches the fingerprint of her own transcript. Similarly, Bob will decide whether to join in the simulation 
of TT or to transmit random bits until the end of the round based on receiving or failing to receive Alice’s 
synchronization message at the round’s start. Where the round differs from a round in Algorithm 1, is in 
the actual simulation of tt. For the whole iteration, a fixed number of bits of tt will be simulated per round. 

^ By abuse of notation, we will not subscript all the other helper functions with j ; it should be clear from context that the 
version of the function used is the one that operates on strings of the correct size and has the correct failure probability 
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Algorithm 2: Interactive Communication; 

Iteration j 



ALICE’S PROTOCOL 


BOB’S PROTOCOL 


Parameters : Nj , Fj , pj ; 


Paraimeters : Nj , Fj , pj ; 

1 

for i = 1 to Nj do 

1 

for i = 1 to Nj do 

2 

Fa ecEnc(amdEnc( To* )); 

2 

if \Fff\ > L then 

3 

Send Fa] 

3 

Wait cFj channel steps; 

4 

if \T*\ < L then 

4 

Receive Fj bits; 

5 

for the next [Fj /pj\ bits of tt do 

5 

if fewer than Fj /3 alternations in the 

6 

if sender then 


received string then 

7 

Send next bit pj times; 

6 

Output 7j,*[0 : L] and 

8 

Append to Fa] 


Terminate; 

9 

else 

7 

else 

10 

Receive pj bits; 

8 

Fb ecEnc(amdEnc(hj(7jJ*))); 

11 

Append majority bit to Fa] 

9 

Send Fb] 


end 

10 

else 

12 

else 

11 

Receive Alice’s cFj-hii message J"' ; 

13 

Transmit Fj random bits. 

12 

if IsCodeword(ecDec(J^')) then 

14 

Receive Bob’s cFj-hit message, Fj^] 

13 

£ ^ amdDec(ecDec(J'')); 

15 

if IsCodeword(J^j) then 

14 

if £ > \Fb then 

16 

if \Ff 1 > L then 

15 

V ^ Tb] 

17 

Output Ff[0 : L] and 

16 

else 


Terminate; 

17 

Tb^Fb*] 

18 

F t— amdDec(J^j); 

18 

for the next \_Fj/pj\ bits of n do 

19 

if MatchesFP(J^, 7ji) then 

19 

if sender then 


// successful round; 

20 

Send next bit pj times; 

20 

Ta* ^ Fa] 

21 

Append to Fb] 

21 

else 

22 

else 


// round failed; 

23 

Receive pj bits; 

22 

'Ta -^Ff] 

24 

Append majority bit to Fb] 


end 


end 



25 

Fb •<— ecEnc(amdEnc(hj(7h))); 



26 

Send Fb] 



27 

else 



28 

Transmit (c + T)Fj random bits. 




end 
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Algorithm 3: Interactive Communication 

ALICE’S PROTOCOL BOB’S PROTOCOL 


/ / Iteration 0; 

1 Run Alice’s protocol from Alg 1 ; 

2 if not terminated then 

3 transmit random bits until channel step 

12L; 

// End of Iteration 0; 

4 j 1; 

5 while still present do 

/ / Iteration j; 

6 Fj ^/3{j + logL)- 

7 Pj 2 ^\^~\ A Fj] 

8 Aj-^ 2^-1[8L/E]; 

9 Run Alice’s protocol from Algorithm 2, 

with parameters Nj , Fj, pj ; 

/ / End of Iteration j ; 

10 j ^ j + 1; 

end 


/ / Iteration 0; 

1 Run Bob’s protocol from Alg 1 ; 

2 if not terminated then 

3 transmit random bits until channel step 

12L; 

// End of Iteration 0; 

4 j A— 1; 

5 while still present do 

// Iteration j; 

6 -Fj ^/3(j+ logL); 

7 p^^2^\^-]AFf, 

8 Aj-^ 21-1[8L/E]; 

9 Run Bob’s protocol from Algorithm 2, with 

parameters Nj , Fj , ; 

// End of Iteration j; 

10 j ^ j + 1; 

end 


Each bit will be repeated pj = 2^~^\Fj/F~\ A Ej times, d The receiving party will use majority filtering to 
infer the transmitted bit. Since Fj time steps in the round are allocated to protocol simulation, this allows 
[Fj/pj\ bits of TT to be simulated. 

Notice that the number of rounds doubles from one iteration to the next. Also, the number of repetitions 
of each simulated bit also roughly doubles between iterations, at least until it hits its cap, which is a constant 
fraction of the length of the round. This is the so-called doubling trick, (though in our case perhaps it should 
be quadrupling) which results in the overall cost being dominated by the cost in the last (or second to last) 
iteration. 


5 Unbounded T - Analysis 

We now analyze the main algorithm presented in Section |4l As in Section [3 we begin by noting that a 
hash collision or an AMD code failure will cause the algorithm to fail. Additionally, the algorithm could fail 
during the padding rounds, if the adversary happens to flip bits in such a way as to cause Alice’s random 
bits to look like silence, resulting in Bob’s premature departure. 

In Section 1^751 we will show that with high probability each of these events does not occur. Meanwhile, 
throughout this section we will assume without further mention that we are in the good event where none 
of the undesirable events occur. 

5.1 Alice and Bob are both present 

Lemma 5.1. For every j > I, Alice and Boh are always synchronized. That is, they begin the iteration as 
well as every round therein at the same time. 

Proof. Alice and Bob synchronize themselves after Iteration 0 by both starting Iteration 1 at channel step 
12L -|- I. Thereafter, for each j > I, they have the same round sizes aFj and number of rounds Nj in 
Iteration j, so that they remain synchronized. □ 

®We remind the reader that x Ay denotes the minimum of x and y, while x\/ y denotes their maximum. 
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We will call a round corrupted if enough bits are flipped in the round that the bits of tt being simulated 
cannot be recovered or verified by Alice. We will call it uncorrupted or progressive if it is not corrupted in 
the above sense. 


Lemma 5.2. Each round is either corrupted at a cost of at least Pj 12 to the adversary or results in \_Fj/pj\ 
bits of progress in tt. 

Proof. Since each simulated protocol bit is sent pj times, with majority filtering at the receiving end, it costs 
the adversary pj/2 to corrupt the repetition-encoded bit. It costs the adversary at least cFjj3 > pjl2 to 
corrupt Alice’s synchronization message or Bob’s fingerprint since these are protected by error-correction. 
Thus it costs the adversary at least pj /2 to corrupt the round. Otherwise, since there are Fj steps allocated 
to sending protocol bits, and each one is repeated pj times, the protocol is successfully simulated for 
bits. □ 


The following lemma is the equivalent of Lemmas 13.141 to [3.171 for Iteration j. Its proof is nearly identical 
to the proofs in Section r3.2l findeed. it is simpler, since Iteration j does not have the synchronization problems 
faced by Algorithm 1) and we omit it. 

Lemma 5.3. Iteration j has the following properties: 

1. It is always the case that =4 tt, where tt is the padded transcript. 

2. At the beginning and end of each round, 

r: ^ t: = Ta4 %■, 

where at most one of the inegualities is strict. Moreover, at the end of a channel step in which Bob 
receives Ta correctly, 

v = % = t:. 

3. Bob leaves after Alice. When Alice leaves, |7^*| > L. 

4 . When either party terminates, their output is correct. 

Lemma 5.4. There are at most Nj/i uncorrupted rounds in Iteration j 

Proof. Since each uncorrupted round results in [Tj/pjJ bits of progress in tt, \Lpj/Fj~\ rounds are sufficient 
for Alice’s transcript length to exceed L. One additional uncorrupted round is sufficient for Bob to catch up 
to Alice if necessary, using her synchronization message, and for Alice to infer from Bob’s fingerprint that 
Bob’s transcript length has exceeded F, resulting in Alice’s departure. After that, if a round is uncorrupted, 
then Bob will perceive silence on the channel, resulting in Bob’s departure. Thus \Lpj/Fj~\ +2 uncorrupted 
rounds are enough for both parties to terminate. Finally note that for all j > 1, 


Fj - 


2i-i 

F 


A 1 < 


2J-1 

F 


It follows that (for sufficiently large L) there are at most 2M/F = Nj/A uncorrupted rounds in Iteration 
3- □ 


The following corollary is immediate. 

Corollary 5.5. If j is not the last iteration, then at least 3/4 of the rounds are corrupted. 
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Although the adversary can flip any number of bits in a round, we will only charge him the minimum 
number of bit-flips required for the outcome we see in the round, be., we will charge him 0 for uncorrupted 
rounds and pj /2 for corrupted rounds. Let Tj denote the number of corruptions charged to the adversary in 
Iteration j. Clearly, for j > 0 

'^j — 

Also, we know from Section [5] that if the algorithm does not end in Iteration 0, then Tq > L/8F. In this 
case, we will generously only charge the adversary that amount. In other words, if Iteration 1 is reached, 
either by both Alice and Bob, or by Bob alone, Tq = \L/8F~\. 

Lemma 5.6. If j is not the last iteration then Tj > ^Njpj 

Proof. This follows from Corollary 15.51 since it costs the adversary at least Pj/2 to corrupt a round. □ 
Lemma 5.7. If j is not the last iteration then 

8T^-il2 < Tj < 64Tj_i 


Proof. If j = 1 

Q or 

Ti > -IViPi >jr> 24To > 3Tq 

and 

Ti < Nipi/2 < — = 64ro. 

r 

If j > 1, then by o and Lemma 15.61 

3 3NjPj/8 ^ Tj ^ Njpj/2 ^ 

2 Nj-ipj-i/2 Tj-i 3Nj-ipj-i/8 

since = Nj/2 and pj-i < pj < 4pj_i. □ 

Lemma 5.8. The cost to either player due to uncorrupted rounds in Iteration j < logT’ is at most 

la\J LTj-iF 


Proof. Each uncorrupted round costs the players aFj. Since there are at most Nj/A uncorrupted rounds, 
the resulting cost is no more than ^NjFj. Since j < logF, pj = 2^~^\Fj/F~\ and Fj < 2F. Combining 
these we have 


so that 



F, < F^2^-^p, 

VI 

a 


< 

aiV,_iF^23-^p,_i 

< 

aFv/fV,_i23-^-V^ 

< 

aF^/2Ni^8Tj/3 

< 

asJl28LTjF/3 

< 

7ay/LT)F. 


□ 


Lemma 5.9. If j > logF, the cost to 


either player due to uncorrupted rounds in Iteration j is at most 


3aTj-i 


18 














Proof. When j > logF, Fj = pj and by Lemma 

(X oc So; 

—NjFj = —NjPj < aNj-ipj-i < —Tj-i < 3aTj_i. □ 

Lemma 5.10. The cost to the players from corrupted rounds in Iteration j is at most Aa^2LTjF if j < log F 
and 2aTj otherwise. 

Proof. Suppose there are k corrupted rounds. Then the cost to the players is kaFj, while the adversary’s 
cost is kpj/2. If j > logF + 1, Fj = pj and we easily see that the players’ cost is at most 2aT. When 
j < log F, since k < Nj, 

kaFj = kpjF2^~t yjNjFj 

< a^jTjF2‘^-i^/23NiF 

< 2ayJSLTjF. □ 

Collecting the various costs and noting that Tj < 64Tj_i, we see that for a suitably large constant 7 , we 
have 

Lemma 5.11. The total cost to the players from Iteration j is at most LTj_i log L if j < logT’ and 
'yTj_i otherwise. 


5.2 Bob plays alone 


After Alice’s verified transcript has length at least L, in each subsequent round, she transmits her synchro¬ 
nization message, and then random bits to indicate her continued presence. Once Alice has left, there is 
silence on the channel. To corrupt this silence, the adversary must make it look like a corrupted synchroniza¬ 
tion message followed by random bits. Since a random string of length Fj has, on average, Fj/2 alternations 
of bits. Bob considers the string to represent silence if it has fewer than Fj /3 alternations. Thus, to corrupt 
such a round the adversary must pay at least Fj/3. 

Alice leaves when she has received word that Bob has a verified transcript of length at least L, and a 
single extra uncorrupted round thereafter will cause Bob to leave as well. Thus, if iteration j was not Bob’s 
last one, the adversary must have corrupted every round. If 1 < fc < A^j rounds are corrupted. Bob pays at 
most {k + l)aFj < 2kaFj and the adversary pays kFj/3. If /c = 0, we will generously account for the lone 
uncorrupted round from Iteration j in Iteration j — 1 by noting that a{Nj-iFj-i + Fj) < 2a{Nj-iFj-i) 
Finally a calculation identical to that in Lemma [5. lOI shows that Bob’s cost for an iteration j that he played 
alone is no more than 

7 \/LTj_i logL 


if j < log F and 


^Tj-i 


otherwise. 


5.3 Failure Probabilities 

In this section we bound the probabilities of the events that cause the algorithm to fail. 

Lemma 5.12. With high probability in L, there is no hash collision during Iteration j. 

Proof. The fingerprint size has been selected large enough that the probability of a hash collision for a single 
hash is ■ Since there are Nj = 2'^+^L/F rounds in Iteration j, by a union bound, the probability of a 

hash collision during the iteration is O f 
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Lemma 5.13. With high probability in L, any bit flipping of an AMD encoded message during Iteration j 
is detected. 

Proof. The size of the AMD encoding has been selected so that the probability of a failure to detect a single 
instance of tampering is Since there are two AMD encodings per round and 2^+^L/F rounds, again 

the probability that such a failure occurs during the iteration is O ^ 2 j ' l log l ) ■ 

Lemma 5.14. With high probability in L, Aliee leaves before Bob. 

Proof. Bob does not terminate until he thinks Alice has left, and he does not even start checking for whether 
she seems to have left until after his transcript has length at least L. Since Bob’s transcript lags behind 
that of Alice, this means that by the time Bob is checking for whether Alice has left, Alice either really has 
left, in which case it is fine for Bob to leave, or she is transmitting i.i.d. random bits in batches of length 
Tj, between hngerprints. Since the adversary cannot see the bits, any bit flips on his part do not alter the 
fact that the string received by Bob is a uniformly random bit string of length Fj. Such a string has Fj/2 
alternations (consecutive bits that differ) in expectation. Bob leaves if he sees fewer than Fj /3 alternations. 
If the string is random, the likelihood of Bob seeing fewer than Fj /3 alternations is, by Chernoff’s bound, at 
most provided /3 = 2 j 44 og l chosen suitably large. Since there are at most Nj chances 

in Iteration j for the adversary to try this attack, a union bound again shows that Bob leaves after Alice, 

except with probability O ^ 2 j l Lg l ) ■ ^ 

5.4 Putting everything together 

We will now prove our main theorem by putting all these costs together and calculating the total cost to 
either player and the failure probability of the algorithm. As before, T denotes the number of bits flipped 
by the adversary. 

Theorem 5.15. The algorithm succeeds with probability at least 1 — 1/LlogL. If it succeeds, then each 
player’s cost is at most 

L + 0{^/LT log L + T) 

Proof. First we note that for each j > 0 (Iteration 0 being Algorithm 1), the probability that Algorithm 3 
fails during iteration j is at most O ^ 2^3 L^og l ) ■ Thus the overall probability that it fails at all is 


( CO 

j=o 


then Lemma [3?24] already proves 
J > 1. For each j, let Cost{j) 

• Cost{0) = 12L < L + 71 /LTo log L where Tq = L/{8 F) 

• Cost{j) < logL if 1 < j < logF 

• Cost{j) < 'jTj^i if j > logF’ 


Thus, with high probability the algorithm succeeds. 

Let J denote the last iteration in which the player participates. If J = 0 
that the players’ total cost is at most L + L{T + 1) log L). Suppose 
denote the player’s cost from Iteration j. We know that 


log A 


= O 


1 


A log A 
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When J < logF, the player’s total cost is 
J J 


Cost{j) < Cost{0) + ^ Cost{j) 
j=o i=i 

J 

< X + 7 a/ LTq log L + 'jy'LTj-i log L 
i=i 

<L + 7 \/n^ (2/3)^-irj_i + E V (2/3)^-i-^Tj_i 

<L + 7x/^Tj_ilogL I ^(2/3)^-i + ^'x/IW| 


t=o 


< L 


a/37 


^3-^2 
= L + logL 


a/XTj.i logL 


< L + 7 ^ a/ LT logi 


On the other hand, TpogFj = ©(-^pog^l/^Liog^l) = ©(^log-^); so that logi = ©(Tpog^j) and 

for J > log F we have 

J [log FJ ,7 

^ Cos/j) < Cost(O) + ^ C'ost(j) + ^ Cost{j) 

7=0 i=l 7=LlogFJ+l 

,7 

< L + 'y '^LTpogFj logF + E 

7= [log FJ+l 
J 

<L + 7"rpogFJ+ E 7^7-1 

7= [log FJ+l 

<L + 0{T) 

Thus the players’ cost is always L + O L{T + 1) logL + Tj . □ 


6 Some Additional Remarks 

Need for Private Channels 

The following theorem justifies our assumption of private channels. 

Theorem 6.1. Consider any algorithm for interactive communication over a public channel that works with 
unknown T and always terminates in the noise-free case. Any such algorithm succeeds with probability at 
most 1/2. 

Proof. The adversary chooses some protocol f with transcript length L and some separate “corrupted” 
protocol Fc such that 1) fc has transcript length L and 2) Bob’s individual input for Fc is equivalent to his 
individual input for f. The goal of the adversary will be to convince Bob that f^ is the protocol, rather than 
F. Note that we can always choose some appropriate pair f and f^ meeting the above criteria. 

Assume that if Fc is the protocol and there is no noise on the channel, then Bob will output Fc with 
probability at least 1/2; if not, then the theorem is trivially true. Then, the adversary sets f to be the input 
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protocol. Next, the adversary simulates Alice in the case where her input protocol is tTc, and sets the bits 
received by Bob to be the bits that would be sent by Alice in such a case. 

Since the the algorithm eventually terminates, Bob will halt after some finite number of rounds, X. Using 
the above strategy. Bob will incorrectly output tt^ with probability at least 1/2 and the value of T will be 
no more than X. 

Note that in the above, we critically rely on the fact that T is unknown to Bob. □ 


Communication Rate Comparison. 

In Haeupler’s algorithm |14j . the noise rate e is known in advance and is used to design an algorithm with a 
communication rate of 1 — 0(-\/eloglog 1/e). Let L' be the length of tt'. Then in his algorithm, L' = 0{L), 
and so the adversary is restricted to flipping eL' = 0[L) bits. Thus, in his model, T and L' are always 0{L). 
In our model, the values of T and L' are not known in advance, and so both T and L' may be asymptotically 
larger than L. 

How do our results compare with [S]? As noted above, a direct comparison is only possible when 
T = 0{L). Restating our algorithm in terms of e, we have the following theorem. 

Theorem 6.2. If the adversary flips 0{L) bits and the noise rate is e then our algorithm guarantees a 
communication rate of 1 — O + Velog L^j . 

Proof. When T < L we also have T < yjL{T + 1) log L and our algorithm guarantees that for some 7 > 0, 

L' = L + 7 \/L(T + l)logL 


Let e = T!L' and R = L/L' he the effective noise and communication rates respectively. Then, 




> 1 - 


>1 — 7 
> 


L' -L 

U 

7VL(r+l)logL 

U 

\/L log L + y/LT log L 
L' 


1 - 7 + a/Rc logL^ 

> 1 - 7\/logL , 

where the last line follows because Xj'/lJ < I/a/L and R<1. 


□ 


We note that the additive term arises from the fact that because we do not know the error rate 

ahead of time, we cannot get a communication rate of 1 even when the effective error rate turns out to be 


zero. 


A Note on Fingerprint Size. 

A natural question is whether more powerful probabilistic techniques than union bound could enable us to 
use smaller hngerprints as done in [14]. The variability of block sizes poses a challenge to this approach 
since Alice and Bob must either agree on the current block size, or be able to recover from a disagreement 
by having Bob stay in the listening loop so he can receive Alice’s message. If their transcripts diverge 
by more than a constant number of blocks, it may be difficult to make such a recovery, and therefore it 
seems challenging to modify our algorithm to use smaller fingerprints. However, it is a direction for further 
investigation. 


22 


















A Lower Bound 


In this section, we prove a lower bound that demonstrates the near optimality of our upper bound by 
assuming the following conjecture by Haeupler holds M- We now restate Haeupler’s conjecture. 
Conjecture 1. (Haeupler \14^ , 2014) The maximal rate achievable by an interactive coding scheme for any 
binary error channel with random or oblivious errors is 1 — 0(y^) for a noise rate e —^ 0. This also holds 
for for fully adversarial binary error channels if the adversary is computationally bounded or if parties have 
access to shared randomness that is unknown to the channel. 

For the remainder of this section, we assume that Haeupler’s conjecture holds for any algorithm that 
succeed with high probability in L with an expected cost of at most L' under adversarial noise. For ease 
of exposition, we omit such statements in all of our claims below. By robust interactive communication, we 
mean interactive communication tolerates T errors. 

We begin by showing the near optimality with respect to the communication rate achieved: 

Theorem 6.3. Any algorithm for robust interactive communication must have L' = L + + VLT^ for 

some T > 1. 

Proof. Let T > 1 be any value such that T/L' = o(l). Then, Haeupler’s Conjecture applies and the expected 
total number of bits sent is L' > L/(l — d^/e) for some constant d > 0. Noting that 1/(1 — d^/e) > 1 + d^/e by 
the well-known sum of a geometric series, this implies that L' > Lf{l — dy/e) > {l + dy/e)L= {1 + dy/T/L')L 
since e = T jh'. 

This implies that LjL' < 1/(1 -b d\/TjL’'). Now observe that 1/(1 -|- x) = 1/(1 — (—x)) < 1 — x + 
for \x\ < 1, again by the sum of a geometric series. Plugging in dy^T/L' for x, we have 1/(1 + d^T/L') < 
l-dy/TjlJpd'^{T/L'). Therefore, L/V < l-dy^TJUPd'^{T/L') = l-d^/rJUil-dy^TJU) < 1-d'yTf^ 
for some d' > 0 depending only on d. 

We then derive: L < L'{1 — d' y/TJU) = L' — dWL'T. It follows that L' > L + dWL'T = L + H(-\/ LT) 
since L' > L. 

Finally, we show that V LT = 0(T -|- V LT). Assume that given any algorithm A for interactive com¬ 
putation, we create a new algorithm A’ that has expected value of L' = 0{L). To do this. A’ checks based 
on e and L whether or not Haeupler’s algorithm [14] will send fewer bits in expectation than A. If so it 
runs Haeupler’s algorithm. Note that the expected number of bits sent by A’ is no more than the expected 
number of bits sent by A. 

Note that T = eL' and for algorithm A’, the expected value of L' = 0{L). This implies that implies that 
T = eO{L) or T = 0{L). Since T < A, it holds that y/UT = 0(r + V LT) which completes the proof. □ 


7 Conclusion 

We have described the first algorithm for interactive communication that tolerates an unknown but finite 
amount of noise. Against an adversary that flips T bits, our algorithm sends L + O (^y/L{T + 1) log A -b 
bits in expectation where A is the transcript length of the computation. We prove this is optimal up to 
logarithmic factors, assuming a conjectured lower bound by Haeupler. Our algorithm critically relies on the 
assumption of a private channel, an assumption that we show is necessary in order to tolerate an unknown 
noise rate. 

Several open problems remain including the following. First, can we adapt our results to interactive 
communication that involves more than two parties? Second, can we more efficiently handle an unknown 
amount of stochastic noise? Finally, for any algorithm, what are the optimal tradeoffs between the overhead 
incurred when T = 0 and the overhead incurred for T > 0? 
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